Sharing Docker Containers in Google Container Registry
Imagine this scenario:
You are following Google Cloud best practices and have a project for your dev environment and another for your prod environment. You want to use Docker to make sure that the code you run in dev is the same you run in prod.
You write your code, dockerize it, and test it. Awesome, it works! Now you want to deploy it to production. You push the container to Google Container Registry in your dev project. But how do you pull it into your prod project?
If you pull the source code from source control and recreate the Docker container again, you are paying double for storage as well as introducing more complication into your deployment pipeline. Yuck!
What you want is a way to securely pull the Docker container from your dev environment. Luckily, Google Container Registry makes that easy!
Step 1: Get a service account
Go the the IAM service account section in your Dev project or where your Docker containers are pushed.
Create a new service account, name it “Container Registry Puller,” give it the “Storage Object Viewer” role, and make sure to furnish a new private key.
When you click “Create,” a JSON file will be downloaded to your computer. This is your service account key, which will be used to pull your Docker images. Make sure you don’t leak this key (DON’T check it into source control), otherwise anyone with it can pull all your containers and other objects you store in GCS!
Rename this file to docker_key.json
Step 2: Pull your containers
We can now use this keyfile directly with Docker.
In the same directory as your docker_key.json, run this exact command:
docker login -u _json_key -p “$(cat docker_key.json)” https://gcr.ioAt this point, you can just pull and run your containers with Docker. You don’t need to do anything else!
For example, if you had a container called “my-app:0.1” you could pull it with the following command:
docker pull gcr.io/<project-id>/my-app:0.1That’s it!
